I’m really sorry I haven’t posted in the last few days. Believe it or not, it’s for a good cause. I’ve been very busy writing a new domain scanner called Fierce. I was performing an audit a few weeks ago and I realized that it was taking me a long time to uncover hosts that I needed to perform audits on. I was using all sorts of tactics but it was still taking a long time (almost a day just to find 4 hosts that could have been interesting and only one of them turned out to be). The hosts were no where near each other physically or in terms of IP space, rendering tools like nmap and unicornscan nearly useless. That frustrating experience in web application security auditing forced me to write a perl scanner named Fierce.
Some of you will remember that I wrote a tool to uncover “internal.company.name” and “intranet.company.name” servers in the Alexa top 100. Well that was interesting, but it was only a precursor to Fierce. Fierce takes that same idea and magnifies it to over 300 requests. Further when it finds something on an IP it attempts to traverse up and down that IP range (within the class C) looking for other hosts that match your domain of interest using reverse DNS (or a supplemental pattern match that I added on top of it).
As a result, in just a few minutes of scanning you can uncover hundreds of hosts that are normally either not publically known or even route-able for that matter and that may be on completely separate networks. It’s actually very fast for a scanner, because it doesn’t actually try to connect to any of the machines in question, it only queries your DNS server and the DNS server of the target.
Click here to find out more about Fierce. There are a few other tools out there that attempt to do some things like this, but I wrote this because I found it to be far more effective at initial discovery (this is sort of a modern day version of host -l for those of you who were around in the early days when no one understood security). This is obviously a beta and will obviously miss stuff given how it works, but I plan on making it a lot more robust and I plan on adding a few more tests that I think will yield a lot more interesting results in the future. Questions and comments are welcome.
Happy new years, everyone!